A company needs to store contract documents. A contract lasts for 5 years. During the 5-year period, the company must ensure that the documents cannot be overwritten or deleted. The company needs to encrypt the documents at rest and rotate the encryption keys automatically every year. Which combination of steps should a solutions architect take to meet these requirements with the LEAST operational overhead? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Store the documents in Amazon S3 and use S3 Object Lock in compliance mode., Use server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys and configure key rotation..
Why this is the answer
Storing documents in Amazon S3 with S3 Object Lock in compliance mode prevents objects from being overwritten or deleted by any user, including the root user, for the specified retention period (5 years in this case), meeting the immutability requirement. Governance mode allows some authorized users to alter or delete objects, which doesn't meet the "cannot be overwritten or deleted" requirement. Using server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys (CMKs) allows for automatic key rotation every year, as KMS CMKs can be configured for automatic annual rotation, satisfying the encryption and key rotation requirements with minimal operational overhead. SSE-S3 uses AWS-managed keys that rotate every few years, not annually, and doesn't offer the same level of control. Customer provided keys (SSE-C) require the customer to manage and rotate the keys, increasing operational overhead.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed